RebateFi Hook

First Flight #53
Beginner Friendly, DeFi
100 EXP

Submission Details
Impact: high
Likelihood: high
Status: Invalid

Owner can withdraw arbitrary tokens (including LP/pool tokens)

Root + Impact

Description

withdrawTokens lets the owner transfer any ERC20 held by the hook to any address, so every asset the hook holds can be drained in a single call. The recommended fix below restricts which tokens can be withdrawn and where they can go, and checks the transfer's return value, reducing rug-pull and mis-routing risk.

Risk

Likelihood:

  • Occurs whenever the hook holds ERC20 balances and the owner decides (or is forced by a key compromise) to drain them.

  • Users may not realize the hook has this power and still send value to it.

Impact:

  • Funds in the hook can be pulled to an external address by the owner, or by an attacker who controls the owner key.

  • Confidence in the protocol and its integrations is reduced by this degree of centralization.

Proof of Concept

After tokens accumulate in the hook, the owner calls withdrawTokens(tokenAddress, owner, fullBalance) and moves the hook's entire balance of that token to the owner in a single transaction. Repeating the call per token address empties the hook completely.

Recommended Mitigation

- remove this code
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
    IERC20(token).transfer(to, amount);
    emit TokensWithdrawn(to, token, amount);
}
+ add this code
function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
    require(to == owner(), "withdraw to owner only");
    require(token != ReFi, "cannot withdraw ReFi from hook");
    require(amount > 0, "amount = 0");
    bool ok = IERC20(token).transfer(to, amount);
    require(ok, "transfer failed");
    // keep the existing (to, token, amount) argument order so the event signature is unchanged
    emit TokensWithdrawn(to, token, amount);
}
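
The drain described in the Proof of Concept and the restrictions in the recommended fix, as an added Foundry test that is not part of this submission or of the RebateFi code base. MockToken, Owned, VulnerableHook, HardenedHook and the ReFi immutable are stand-ins assumed for the example (the real hook presumably uses OpenZeppelin's Ownable and its own token address), and forge-std is assumed to be installed. The vulnerable contract mirrors the function shown above; the hardened one applies the three require checks and the return-value check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not RebateFi code. All contracts below are stand-ins so the
// test compiles on its own with forge-std.
import {Test} from "forge-std/Test.sol";

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address) external view returns (uint256);
}

// Tiny ERC20 stand-in (anyone can mint, no approvals); only used to fund the hooks.
contract MockToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external override returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Minimal ownable base (hypothetical; stands in for OpenZeppelin's Ownable).
abstract contract Owned {
    address private _owner;
    constructor() { _owner = msg.sender; }
    function owner() public view returns (address) { return _owner; }
    modifier onlyOwner() { require(msg.sender == _owner, "not owner"); _; }
}

// Before: any token, any destination, transfer return value ignored (as in the finding).
contract VulnerableHook is Owned {
    event TokensWithdrawn(address indexed to, address indexed token, uint256 amount);
    function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
        IERC20(token).transfer(to, amount);
        emit TokensWithdrawn(to, token, amount);
    }
}

// After: the submission's recommended restrictions.
contract HardenedHook is Owned {
    address public immutable ReFi; // protocol token the hook must never release (assumed name)
    event TokensWithdrawn(address indexed to, address indexed token, uint256 amount);
    constructor(address refi) { ReFi = refi; }
    function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
        require(to == owner(), "withdraw to owner only");
        require(token != ReFi, "cannot withdraw ReFi from hook");
        require(amount > 0, "amount = 0");
        bool ok = IERC20(token).transfer(to, amount);
        require(ok, "transfer failed");
        emit TokensWithdrawn(to, token, amount);
    }
}

contract WithdrawTokensTest is Test {
    MockToken refi;
    MockToken lp;
    address attackerSink = address(0xBEEF); // constructed: arbitrary external destination

    function setUp() public {
        refi = new MockToken();
        lp = new MockToken();
    }

    // PoC: the owner (this test contract) drains every token the hook holds to an arbitrary address.
    function test_vulnerable_owner_drains_to_arbitrary_address() public {
        VulnerableHook hook = new VulnerableHook();
        refi.mint(address(hook), 1_000e18);
        lp.mint(address(hook), 50e18);

        hook.withdrawTokens(address(refi), attackerSink, 1_000e18);
        hook.withdrawTokens(address(lp), attackerSink, 50e18);

        assertEq(refi.balanceOf(address(hook)), 0);
        assertEq(lp.balanceOf(address(hook)), 0);
        assertEq(refi.balanceOf(attackerSink), 1_000e18);
    }

    // Hardened: ReFi is locked in, the destination must be the owner, stray tokens stay recoverable.
    function test_hardened_blocks_refi_and_foreign_destination() public {
        HardenedHook hook = new HardenedHook(address(refi));
        refi.mint(address(hook), 1_000e18);
        lp.mint(address(hook), 50e18);

        vm.expectRevert(bytes("cannot withdraw ReFi from hook"));
        hook.withdrawTokens(address(refi), address(this), 1_000e18);

        vm.expectRevert(bytes("withdraw to owner only"));
        hook.withdrawTokens(address(lp), attackerSink, 50e18);

        hook.withdrawTokens(address(lp), address(this), 50e18); // allowed: stray token, back to owner
        assertEq(lp.balanceOf(address(this)), 50e18);
        assertEq(refi.balanceOf(address(hook)), 1_000e18);
    }
}
```

Run with forge test --match-contract WithdrawTokensTest. The second test shows what the to == owner() check buys: a stray token can still be recovered, but only to the owner's own address, so a compromised key cannot route funds straight to a fresh sink in one call, and the ReFi check keeps the protocol token itself out of reach of withdrawTokens entirely.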
Updates

Lead Judging Commences

chaossr Lead Judge 12 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
